Menu

Tag Archives: Microsoft

While packaging a few Intel drivers (video driver, USB 3.0, chipset, management engine components, etc.) for our HP laptops, I noticed that each of the driver downloads contained a file named “mup.xml”. This file contains, among other things, information about valid command line switches for the setup.exe installer.

A snippet of the mup.xml file for our video driver is below. Some valid command line switches (which I haven’t fully tested) that appear within the file are:

I have been working on some unattended installation scripts for applications to be deployed through an SCCM OSD task sequence that builds our Windows 10 workstations. Happily, many of the lessons learned with Windows 7 are directly applicable to Windows 10. However, Windows 10 has made a significant change to the way applications are able to set themselves as the default application for handling certain file types.

Recently, I’ve been working on migrating our Adobe Acrobat XI package from Windows 7 to Windows 10. Among the first things we noticed was that in Windows 10, Microsoft Edge remained the default handler for the .PDF file extension, even though we had configured Acrobat to be the default handler through the Adobe Customization Wizard. This discovery led to much investigation about the changes in Windows 10 that are purportedly intended to protect a user’s choice of applications. I’m not altogether sold on this as a way of protecting user choice, as it seems more like it’s trying to force users into using the application of Microsoft’s choice rather than the one the user has installed.

A good technical explanation of the changes to the registry employed by Windows 8 and later to protect certain file extensions can be found in this post: http://appsensebigot.blogspot.co.uk/2015/10/deploying-per-user-file-type.html. To quickly summarize, since Windows 7, Microsoft has added a new registry subkey, named “UserChoice”, to certain file extensions under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts, and the contents of the UserChoice subkey dictate the default application for opening the file type. The contents of the UserChoice subkey are protected from modification by a Deny permission applied to the current user’s account. Unfortunately, the workaround for Windows 8/Server 2012 R2 described in the post does not seem to work in Windows 10.

Let’s use Regedit to look at the registry entries for the .PDF file extension at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf. Out of the box, Windows 10 will set the contents of the UserChoice subkey to have the Progid value point to Microsoft Edge, referenced by its Windows application ID. The Hash value will contain a data that seems to be generated from the current user’s username, the computer name and the application, meaning that it will be unique for each user/computer/application combination. Thus, it would be difficult, and foolish, to try to calculate that value ourselves. You’ll also notice that you cannot change the data of the Progid or Hash values through Regedit. If you right-click the .pdf key and choose Permissions, you’ll see that the current user has special permissions assigned. Clicking on the Advanced button will show you that the current user is prevented from setting values under the UserChoice key by way of a Deny permission entry.

All of this makes things look pretty bleak.

But Microsoft has not forgotten about us system administrators. They have provided a way forward!

The best description I’ve found of Microsoft’s horrible, short-sighted method for system administrators to get around the UserChoice keys and set default application file associations can be found at this TechNet blog post: http://blogs.technet.com/b/mrmlcgn/archive/2013/02/26/windows-8-associate-a-file-type-or-protocol-with-a-specific-app-using-a-gpo-e-g-default-mail-client-for-mailto-protocol.aspx. There are many reasons why this method is unusable, but a very obvious one is that it isn’t graceful for deploying different combinations of default applications to different users. It’s completely unwieldy for configuring a multi-user XenApp server where users may have different default applications for the same file extension. It’s also clunky when it comes time to deploy a new version of an application that has been previously configured, as we would need to know which other extensions have been configured for that computer in the past before we change the handler to new application. Read the comments if you are curious about how your fellow sysadmins feel about this method.

A better method would avoid these problems and enable us to configure default applications per-user. So let’s engineer something.

The first thing we need to do is somehow deal with that UserChoice key. While we are not able to change the values under the key, the permissions allow us to delete the UserChoice key itself, with a catch. The catch is that we can’t use a simple REG DELETE command to delete the UserChoice key as it returns an “ERROR: Access is denied.” response. Trying REG DELETE against the parent subkey, .pdf, will delete everything except for the UserChoice key. Watching this process with Sysinternals Process Monitor shows that reg.exe tries to open the UserChoice key while requesting “All access”, which it won’t receive. But we can use REG IMPORT to import a .REG file that deletes the key. So far, it appears that deleting the key one time prevents it from returning at subsequent logons, so long as you have a local Windows profile to log on to. If you are using a mandatory profile, I expect that the key will be created at each logon and you’ll need to delete it at each logon.

I have found that when the UserChoice key is absent, the settings under the file type key are honored.

Once we’ve dealt with that UserChoice key, setting the remaining registry values under the extension key that configure the default application is straight-forward and familiar.

An example of the registry method for Adobe Acrobat Pro DC

By way of example, below is a .REG file that I am using to configure Adobe Acrobat Pro DC (also known as Acrobat 2015) as the default application for .PDF files. This file will delete the entire .pdf subkey to get rid of the UserChoice key and any other values that would set Microsoft Edge to be the default handler and then configure the values under the OpenWithList and OpenWithProgids keys to make Acrobat Pro DC the default handler.

Windows Registry Editor Version 5.00
;Delete the .pdf key under FileExts to clear the Microsoft Edge application association (which is the default handler for .pdf) and the UserChoice subkey.
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf]
;Configure the .pdf key under FileExts to set Acrobat as the default handler.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList]
"a"="Acrobat.exe"
"MRUList"="a"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithProgids]
"Acrobat.Document.2015"=hex(0):

One way of deploying these settings would be to drop this .REG file onto the computer or a share on your network, then create a GPP Registry item, set to “Apply once and do not reapply”, that creates a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce to launch the command C:\Windows\System32\reg.exe IMPORT <path-to-REG-file>. At the user’s next logon, the RunOnce key will cause reg.exe to import the .REG file that deletes the UserChoice key and configures the default application. A nice advantage to using using the GPP Registry item is that it can be item-level targeted to a situation, for example, to an AD security group of users or to users logged onto computers with a certain application installed.

In my experience, the end result is that the user sees the correct Adobe Acrobat icon for .PDF files and double-clicking a .PDF file launches it in Adobe Acrobat without any prompting to set Acrobat as the default application for opening PDFs.

Over the Thanksgiving weekend, I upgraded one of my computers from Windows 7 to Windows 10 using Windows Update. It had been nagging me to upgrade for awhile and I finally gave in and did it. The upgrade appeared to go smoothly, but when I logged on to Windows 10 for the first time, I realized that I didn’t have any of my settings or files. I checked the Application event log and sure enough, I was logged in with a TEMP profile.

I Googled this a bit, thinking that perhaps it has happened to a few other people who could point me to a quick resolution, but it didn’t seem to be a common problem. Also, the proposed fixes (like running sfc /scannow didn’t strike me as being very promising.

So I open the Local Users and Groups manager (lusrmgr.msc) and checked the group membership of my account. I found that it was a member of the Administrators group and a HomeUsers group, but not a member of the Users group. I checked a Windows 10 computer that I had built from the 10240 build ISO as a clean install and didn’t find a HomeUsers group at all. Back on the problem computer, I added my broken account to the Users group, restarted, and logged in. This time, Windows took my account through the typical first-run setup stuff and then loaded the correct profile, with all of my settings and files from Windows 7 intact.

So, if you run into the problem where an account on a recently upgraded Windows 10 computer is missing settings and files, check the group membership. If the account is not a member of the Users group, you will not be able to log in properly. Add the account to that group, logout and then log back in. Your problem should be fixed

Today I learned that Microsoft Edge on Windows 10 does work with an Enterprise Mode Site List after all. I had been trying in vain for weeks (off and on) to get it to redirect into Internet Explorer those sites that I had configured to do so through the Enterprise Mode Site List XML file. As far as I could tell, I was correctly using the Group Policy setting “Allows you to configure the Enterprise Site list”, providing a valid UNC path to the sites.xml file on our DFS. No matter how I configured the contents of the file, Edge simply would not perform the redirection. The redirection would work flawlessly if I configured the Group Policy setting “Sends all intranet traffic over to Internet Explorer”, but I didn’t want to open all of our intranet sites in IE, and there were plenty of Internet sites that I wanted to open in IE.

Internet Explorer 11 on Windows 7 had been successfully retrieving the sites.xml file via a UNC path, rather than an URL, for months. Furthermore, Internet Explorer 11 on Windows 10 was able to retrieve the file via UNC path. Running short of new things to try, on a whim, I copied the sites.xml file to a web server and provided the path in the Group Policy setting as an HTTP address, and lo and behold, Edge happily loaded the file and redirected users to Internet Explorer.

To be sure I wasn’t making up the ability to use a UNC path, I checked the TechNet article Use Enterprise Mode to improve compatibility, which is part of the Microsoft Edge – Deployment Guide for IT Pros. It clearly states that the SiteList value at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode accepts a UNC path, and this is what was being created by my Group Policy setting. However, the Group Policy setting’s field, into which you enter the path, asks for a URL. So, perhaps the TechNet document is wrong. Maybe the editor simply copied and pasted from the IE11 article Turn on Enterprise Mode and use a site list, and did not validate those instructions for Microsoft Edge.

Anyway, I hope that this post helps other systems administrators who may find themselves in the same situation, but I also wish that Microsoft would address this inconsistency between Edge and IE. A UNC path on our DFS (which is something within my control) is far easier for me to administer than a file on a web server (which is outside of my control).

A resource for troubleshooting System Center Configuration Manager (Current Branch) and System Center 2012 Configuration Manager Task Sequence failures through analysis of errors reported in the smsts.log file.

When an SCCM task sequence fails, errors are written to the smsts.log file. Sometimes the error is descriptive and it’s possible to quickly identify the cause of the failure. But often the error is logged as “Unspecified error (Error: 80004005; Source: Windows)”, which requires further investigation. In this post, I’ve assembled a few errors that I’ve personally encountered, along with my analysis of the cause. It’s my hope that this post can help other ConfigMgr administrators find resolutions to their problems.

There is a logical error or typo in the detection method. Note that in this error, the non-zero exit code line immediately follows the “… evaluate app policies” line. It suggests that the error is not with the application itself but with the data about the application.

The application may install successfully, but the detection rule cannot be evaluated successfully because it is illogical or invalid.

For example, if a registry key/value is used as the rule, the rule might be misconfigured to look for a key at “HKLM\SOFTWARE\VedderPrice\Windows 10 Default File Associations” in the HKLM hive, instead of “SOFTWARE\VedderPrice\Windows 10 Default File Associations” in the HKLM hive. (Note the extra HKLM at the beginning of the path.)

Resolution:

Edit the Detection Method for the application to correct an invalid rule.

The application in SCCM was not marked for dynamic app install, but is being installed as part of a dynamic variable list during the task sequence (the “Install applications according to dynamic variable list” option is selected in the Install Application step).

Resolution:

Edit the application’s properties and check the box labeled “Allow this application to be installed from the Installation Application task sequence action without being deployed”.

The application installer (in our case, the wrapper.vbs) did not error out, but the detection method could not confirm that the application installed successfully.

This is most commonly caused by a mismatch between detection method and what is actually happening during the installation. Typically, the application is installed successfully (hence the exit code 0) but the detection method is incorrectly configured (for example, there is a typo in the file path or registry key used as the detection rule).

If the computer is not joined to the domain, an application may fail to download unless the Deployment Type has, under the Content tab, the Deployment option for “Select the deployment option to use when a client is within a slow or unreliable network boundary, or when the client uses a fallback source location for content.” is set to “Download content from distribution point and run locally”. If the computer is not joined to the domain, it will fail to download content if the Deployment option for slow or unreliable network boundary is set to “Do not download content”. Confirm that the OU structure exists for the computer being imaged, that the Network Service Account has rights to create computers in the destination OU, and that the computer is being added to the appropriate destination OU.

The cache may be full. Check the CAS.log and look for the entries:

----- CacheManager: Even if all currently inactive cached content was removed there would not be enough space available for the request.
Not enough space in Cache

“If a new package that must be downloaded would cause the folder to exceed the maximum size, and if the folder cannot be purged to make sufficient space available, the package download fails, and the program or application will not run.”
– https://technet.microsoft.com/en-us/library/gg699356.aspx

The Software Updates step will download hotfixes to the cache, even if those files exceeds the size limit of the cache. However, if a step later in the task sequence attempts to download content to the cache, which is now full or even over-full, the download will fail with “Not enough space in Cache”.

The cache may not have sufficient space for the application. Check the CAS.log and look for the entries:

Cache Size is too small for requested content
CreateContentRequest failed

In the CAS.log, you should see the URL of the failing application in the lines immediately above the errors. If you have access to the Right-Click Tools in the SCCM Admin Console, choosing the “Change Client Cache Size” option will display the current cache size and allow you to change it.

If cache size is the issue, consider rebuilding the WIM via a Build and Capture task sequence, but increasing the cache size via the SMSCACHESIZE parameter in the “Setup Windows and ConfigMgr” step to set the cache size. It more recent versions of the SCCM client, the SMSCACHESIZE parameter can be used in the “Setup Windows and ConfigMgr” step in an OSD task sequence to redefine the cache size.

I have also attempted to resolve this error via an Update Content on the Deployment Type, even though the application in question has not been modified since it was working successfully a few days prior. The Update Content action increments the version/revision, which may be what resolves the problem.

I would also confirm that the Boundaries look OK.

In one case, the application’s file files appeared to be successfully downloaded, and the DataTransferService.log file showed that the DTS job completed successfully a few minutes before the error appeared in smsts.log. My best guess was that the content was downloaded successfully but the task sequence engine wasn’t informed of this, although later experimentation with using a Package instead of an Application confirmed that Trend Micro OfficeScan was preventing the downloaded files from being hashed by the task sequencer. It is my hypothesis that Trend Micro OfficeScan may also have been responsible for the failure to complete the Application download, although this isn’t proven out in the logs. We revised our exclusion rules to prevent Trend from scanning the folders SCCM uses to download content.

The resolution will vary based upon the actual cause, but I would recommend looking at the SMSTSAssignmentsDownloadInterval and SMSTSAssignmentsDownloadRetry task sequence variables available in System Center 2012 Configuration Manager SP1 and later. See: Task Sequence Built-in Variables in Configuration Manager

If you are still encountering this problem, I would suggest temporarily disabling your anti-virus, or creating exclusions to prevent scanning of the task sequence content download locations, and retesting.

Unknown. A few moments before the execution status 3, there is a line “NotifyProgress received: 4 (Application failed to install )”, indicating that the detection method did not find the application had installed.

We use a VBScript wrapper to provide a consistent method of packaging all of our applications. It appears that the application is failing when it is run from C:\Windows\ccmcache\, but the error response does not appear to be coming from the wrapper.vbs but a more generic error code from wscript (eg, some sort of invalid syntax).

In one case, the problem was resolved by deleting the content for this deployment type from a remote distribution point and redistributing it from the primary SCCM server.

Resolution:

I can only hypothesize that the exit code is coming from wscript.exe due to a logical error in the VBScript.

Unknown. In our task sequence, the Install Secondary Applications step installs any number of applications using Dynamic Variables, and this “Execution status received: 0 (No application state information is available )” error has only been seen when evaluating already installed applications in this way. The error has appeared for multiple different applications over time, and in each case, the application encountering the error is already installed on the machines, suggesting that the applications themselves are not at issue. The detection method should be detecting that the applications already exist, but it appears that the client cannot even determine the detection method.

Unknown. This seems to happen when a network connectivity problem causes a content download problem. This error has typically occurred on the first Install Application step in the task sequence immediately after a computer restart.

This is also occurring on install dynamic variable applications, in which event the smsts.log reads similar to:

An effective workaround is to add a Run Command Line step that executes a VBScript from a package that simply calls Wscript.Sleep to create two-minute pauses after each Restart Computer step that occurs before an Install Application step to allow the network time to come up after a reboot. I experimented with shortening the pause to 1 minute and heard reports that the computers were failing again, so I increased the pause back to 2 minutes and the problem disappeared completely.

With SCCM 2012 R2, new task sequence variables are introduced that may overcome this problem by allowing the task sequence to retry to download files or policy instead of quickly giving up and failing the step.

The Install Application step is failing to install applications from a dynamic variable list because the list does not contain any variables, even though it’s silly that the step would fail for this reason.

Resolution:

The workaround/resolution is to create a condition on the Install Application step that allows it to run only if the first application task sequence variable is set. For example, in our environment, the basename (or prefix) is “APP” and the suffix (the numbers) begin with “01”, so the task sequence variable “APP01” will exist if at least one application is in the dynamic variable list. Our Install Application step, then, contains a condition to only run if the task sequence variable “APP01” exists.

The application being installed kills the task sequence engine, leading to a 6 hour pause in the task sequence before it eventually times out after six hours and exits. More precisely, in our case, the Citrix Receiver Enterprise 3.4 installer first uninstalls Receiver 3.2, and during the uninstall process the task sequence engine process is killed.

The Install Application step fails after 6 hours exactly.

The application being installed does, in fact, successfully install according to 1) the Application event logged by our wrapper VBScript, 2) the application appears in Programs and Features, and 3) the application’s own About dialog box, which contains the correct version. In the case of Citrix Receiver Enterprise 3.4, it installs successfully in approximately 3 minutes.

The “Item not found” part of the error is misleading, as it seems to suggest that the content was not available, but it is.

Resolution:

We were not able to resolve this problem, but worked around the problem by pushing out Citrix Receiver Enterprise 3.4 as a required deployment outside of the task sequence.

BitLocker is tricky to get right, but the first step is to enable the TPM in the BIOS.

Error reported in smsts.log:

Installation of updates started
Waiting for installation job to complete
Notification received, that updates installation has failed
Received job completion notification from Updates Deployment Agent
One or more updates failed to install, hr=0x87d00656
Process completed with exit code 2278557270
!--------------------------------------------------------------------------------------------!
Failed to run the action: Install Software Updates. Updates handler was unable to continue due to some generic internal error (Error: 87D00656; Source: CCM)

Failed for reason:

Unknown. A small percentage of computers will fail to run Software Updates each month in the days after they are made available to them and they run our maintenance task sequence. Given enough attempts, the computers will eventually succeed in installing Software Updates.

Resolution:

None. If we put enough Install Software Updates steps (with a condition to Continue on Error) and reboots in between, most of the computers will successfully install the updates.

Error reported in smsts.log:

(Actually, no error is reported, but the task sequence fails to resume after a non-TS aware reboot immediately following a TS-aware reboot during the Install Software Updates step. The following typo-filled lines are written to smsts.log immediately after the second reboot.)

One or more updates is causing a second reboot during the task sequence. The task sequence engine is not anticipating this reboot, and so does not set aside the data required to resume the task sequence after the reboot.

This is a known issue with the way Software Updates are installed during a task sequence. See the KB article:

“You can avoid this issue in System Center 2012 Configuration Manager Service Pack 2 and System Center 2012 R2 Configuration Manager Service Pack 1 by using the new Retry option in the Install Updates task sequence step.”
–https://support.microsoft.com/en-us/kb/2894518

Error reported in smsts.log:

VerifyContentHash: Hash algorithm is 32780
Cannot open source file c:\_smstasksequence\packages\rtm00307\citrix receiver and plug-ins\de\wince\cesh3\icasetup.sh3.cab, Win32 Error = 32
Failed to hash file, Win32 error = 32
Hash could not be matched for the downloded content. Original ContentHash = 3A97E3916B3E2C0C6C5447637754A5DC3A674B9BC3D9F2CC703F320F4B62050B, Downloaded ContentHash =
Failed to resolve the source for SMS PKGID=RTM00307, hr=0x80091007
The user tries to release a source directory C:\_SMSTaskSequence\Packages\RTM00307 that is either already released or we have not connected to it
Install Software failed, hr=0x80091007
Process completed with exit code 2148077575
!--------------------------------------------------------------------------------------------!
Failed to run the action: Citrix XenApp 6.5 (Package).
The hash value is not correct. (Error: 80091007; Source: Windows)

Failed for reason:

We use Trend Micro OfficeScan as our antivirus solution. The OfficeScan real-time scanning was holding the file open, preventing the task sequencer from hashing the file to determine that it had been successfully downloaded. This caused the Package to fail and therefore the task sequence to fail. Uninstalling OfficeScan resolved the problem.

Error 32 translates to ERROR_SHARING_VIOLATION – The process cannot access the file because it is being used by another process.

Error 0x80091007 in smsts.log could also be due to a problem calculating the original content hash, due to problems with the source files, so check for hidden files and that annoying thumbs.db (also, reportedly, with binary replication of the package).

To search for the error code, one needs to convert the integer to a hex value (33 = 0x00000020). See: Win32 Error Codes

Resolution:

Temporarily disable anti-virus or any other software that would be scanning files as they are downloaded to the computer, to avoid conflicts with the task sequence engine verifying the integrity of the downloaded files.

This Windows Event Viewer query looks through the Network Profile/Operational log for network connection events (EventID=10000) where the “Category” equals “2”, which equates to “Domain Authenticated”. The neat part about this XML query is that it looks into the event details for additional criteria, which isn’t available through the filter GUI.

I use it as the custom query trigger for a scheduled task that initiates a few actions each time the computer is powered on/woken up while on the domain network, or has its network connection reestablished. A similar query without the Category=2 criteria would be triggered twice each time the computer is powered on: once when the network connection is established but on the public firewall profile (or something like that), and a second time when the connection changes to use the domain firewall profile (again, I’m not exactly clear).

Update 8/12/2015: I’ve determined that the problem is due to my attempts at creating a custom Windows.UI.Logon.pri file to display a logon screen background image. Neither the utility nor the PowerShell script referenced below create a Windows.UI.Logon.pri file that is acceptable to Windows. In the meantime, I’ve decided to just eliminate the “Hero” wallpaper in favor of a solid color.

Prior to KB3081424, I experienced a different problem at the Ctrl+Alt+Delete screen, where the lock screen wallpaper configured via Group Policy was not applied and the background was instead a solid blue color.

In both cases, the behavior was/is only evident when the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD is set to 0 (enforcing the Ctrl+Alt+Del screen). Deleting the DisableCAD value avoids the problem, however, it also removes the benefit of the secure logon screen.

When the computer is locked (for example, by hitting Ctrl+Alt+Del and selecting the Lock option) and the screen goes black, the following event is written to the Application event log:

Watching the LogonUI.exe process with Sysinternals Procmon shows that the process crashes when the computer is locked, causing the screen to go black. Hitting the Ctrl+Alt+Del key combination at the black screen launches a new LogonUI.exe process, the wallpaper image loads, and I’m taken to the logon page where I can enter my username and password and log on.

The problem exists on physical hardware as well as in a VMware Workstation 11 virtual machine, so I’m confident that it is not a driver-related issue. The only other particular thing about my setup is that I’m generating my own Windows.UI.Logon.pri wallpaper file using the utility discussed at: http://www.askvg.com/how-to-change-or-disable-login-screen-background-image-in-windows-10/ (although revisiting this page now indicates that .pri file generated by the utility may be responsible for lock screen problems).

Even if the Windows.UI.Logon.pri is the cause of the LogonUI.exe crashes, a bad file seems like something that the LogonUI process should tolerate.

I posted the problem to Microsoft’s Windows Feedback on 8/10/2015. A Google search turned up a few other people who have had problems at the lock screen, and there are a number of reports of similar problems going back a few versions of Windows.

This is just a quick post on creating a operating system-based collection query rule for Windows 10 in SCCM 2012. In preparation for the release of Windows 10, I have been working on an OSD task sequence that applies the Windows 10 Enterprise Insider Preview and creating collections in SCCM. There are a number of different ways to construct an operating system-based collection, but one method works more quickly than an alternative.

As you know, the System Center Configuration Manager client reports back details of the workstation or server environment to the SCCM management point, including information about the operating system. This information can be used to populate device collections through WQL queries of information in the SCCM database. But similar, if not equivalent, information is collected through different processes by the client, resulting in the SCCM primary site server potentially having incomplete details of a device. This is particularly evident when looking for details about a workstation computer shortly after it has completed an OSD task sequence.

After a Hardware Inventory cycle is run, SCCM will have access to the Operating System.Caption value, which will be, for the Windows 10 Insider Preview, “Microsoft Windows 10 Enterprise Insider Preview”. This query can be made more general by using the LIKE operator and then wrapping the search term in percent symbols: %Windows 10 Enterprise%.

But, if you want to be able to add computers to a collection before a Hardware Inventory cycle is run, you can use System Resource.Operating System Name and Version, which will be, for the Windows 10 Insider Preview, “Microsoft Windows NT Workstation 10.0”. This can be made more general by using LIKE operator and wrapping the search term in percent symbols: %Windows NT Workstation 10%.

The Query Statement that I am using to populate my collection of Windows 10 workstations is:

This SMS_R_System.OperatingSystemNameandVersion query is useful because it is able to locate computers in SCCM within a few minutes after they have been reimaged, before the client has run a Hardware Inventory cycle. My hunch is that the operating system name and version are being sent to the management point as part of a Heartbeat Discovery that happens soon after the computer finishes the OSD task sequence. I’ll check the logs to confirm this.

This article is intended for systems administrators who use Group Policy/Group Policy Preferences to manage computers in a domain environment.

Among the many challenges faced by Windows desktop engineers, configuring Internet Explorer in a corporate environment to provide a good balance of security and convenience stands out as particularly difficult to get right. I cannot think of any other piece of software that has required more of my time and effort to tailor to our needs than IE. Nor can I think of another application that generates as many non-error-related calls to our help desk. My project this week has been to develop a process for allowing approved ActiveX controls (ie., vetted controls used by business-purpose sites) to be silently installed and enabled by end users without granting sites more rights than needed.

While working on this project, I found that there is a good deal of interplay among multiple Group Policy settings that, once configured, permit standard users to download, install, and enable ActiveX controls so that web sites “just work”. This blog post should help you configure those settings in three steps.

Step 1: Download

The first order of business is to allow a standard user to download the ActiveX control files from sites in the Internet Zone. This can be done by configuring the “Download signed ActiveX controls” and the “Download unsigned ActiveX controls” Group Policy settings in Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone. My understanding is that signed code from trusted publishers is always downloaded silently if the “Download signed ActiveX controls” setting is Enabled and the drop down menu item is set to Enable or Prompt. (It’s not clear to me why signed add-ons from trusted publishers wouldn’t be separately configurable here.) I have set “Download signed ActiveX controls” to Enable, and “Download unsigned ActiveX controls” to Prompt, although the more secure setting would be to Disable downloading unsigned controls.

Step 2: Install

The next order of business is to allow a standard user to install ActiveX controls for specific sites. This can be done by configuring the “Approved Installation Sites for ActiveX controls” setting in Computer Configuration/Policies/Administrative Templates/Windows Components/ActiveX Installer Service.

For each web site, enter the full domain name of the site where the ActiveX control is hosted (wildcards are not allowed) and provide a series of values governing the installation of trusted and signed, signed, and unsigned files, along with exceptions to HTTPS certificate errors. The default series of values is “2,1,0,0”, and I’ll expand on this later in the post. You may need to relax these settings for individual sites depending on whether the control is signed or if the site has HTTPS errors. Enter a detailed comment explaining the rationale for configuring the item (who configured it, when and why), so that you or another administrator can periodically revisit the list and evaluate whether the entries are still necessary and whether the settings are still correct.

A decent amount of thought needs to be given to the significance of the values, which are described more fully at Implementing and Administering the ActiveX Installer Service. The first three numbers in the default setting of “2,1,0,0” will (1) allow an ActiveX control that is signed by a certificate in the Machine or Enterprise Trusted Publishers store to be installed silently, (2) prompt the user before installing an ActiveX control that is signed by a certificate that is not in the Trusted Publisher Store, (3) and not install an unsigned ActiveX control.

For example, if we wish to allow the “Microsoft Update Catalog” ActiveX control to be silently installed when a user visits http://catalog.update.microsoft.com/v7/site/Install.aspx, we can add the domain name “http://catalog.update.microsoft.com” to the list and give it the values “2,1,0,0”. Because this ActiveX control is signed by a certificate in the Machine or Enterprise Trusted Publishers store, the first value “2” allows the silent installation.

If the user encounters an ActiveX control that can be downloaded but is not permitted to be installed silently, the user will receive a Security Warning pop-up window from the ActiveX Installer Service similar to the screen capture below.

Prompting the user for permission to install

In this case, the user encountered a signed ActiveX control that was not signed by a certificate in the Machine or Enterprise Trusted Publishers store. If we want to suppress this prompt so that the control will be installed silently, we would need to change the second number in the series to “2”, as so: “2,2,0,0”.

Step 3: Enable

As conscientious system engineers concerned about removing distractions for our users, we may wish to suppress the “This webpage wants to run the following add-on: ‘<add-on name>’ from ‘<company name>’.” warning/alert that appears in Internet Explorer when a user visits a site that loads an ActiveX control that has been downloaded and installed, but for which the ActiveX control is not yet enabled for the user.

This webpage wants to run the following add-on

To silently enable a specific ActiveX control for a specific domain for the current user, we can use Group Policy Preferences to create a registry value under HKCU with the Class ID (CLSID) of the add-on and the domain name where it is allowed to run. Be sure to enter a detailed comment explaining the rationale for configuring the item. The Class ID can be found via the Manage Add-ons dialog box (which means that the add-on will at least need to be downloaded).

For example, if we intend to allow the “Microsoft Update Catalog” ActiveX Control to be silently enabled to run on microsoft.com or any subdomain of microsoft.com, we may create the following registry key:

That’s all there is to it. When a user encounters a site that requires an approved ActiveX control, the control will be downloaded, installed, and enabled in the background.

How can I enable an add-on and prevent users from disabling it?

The Group Policy setting “Add-on List”, available in both the User Configuration and Computer Configuration, accepts a CLSID and a numerical value indicating how the add-on should be handled. A 0 (zero) indicates that the add-on should be disabled and users should be prevented from enabling it. A 1 (one) indicates that the add-on should be enabled and users should be prevented from disabling it. A 2 (two) indicates that the add-on should be enabled and users should be permitted to enable and disable the add-on through the Manage Add-ons dialog box.

However, in my experience, configuring an add-on with a value of 2 does not automatically enable the add-on for users, and they will see the yellow bar asking them if they want to enable or disable it when they open IE. I can’t quite see the use case for the value of 2.

The (User) setting is found at User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. The registry keys for add-ons configured via the “Add-on List” setting in the User Configuration, named by CLSID, can be found as subkeys under:

How do I get more information about an add-on?

The details of each downloaded or installed add-on can be viewed using the Manage Add-ons dialog box in IE. Locate the add-on in the list and click the More Information link to view the Class ID as well as other information. For example, the details of the Microsoft Update Catalog control referenced throughout this post look like this:

How do I get information about the ActiveX control file itself?

The binary file itself will be referenced in the HTML of the page that requires or installs the control. My preferred method of finding the binary is to use the DOM Explorer in IE’s F12 Developer Tools to view the rendered HTML of the page where the control is installed, and the search for the string “codebase”.

If we look at the HTML of the page at http://catalog.update.microsoft.com/v7/site/Install.aspx, we can find an OBJECT tag that contains the CODEBASE attribute which contains a relative path to a .cab file that is the control. As of this writing, the path is “ClientControl/en/x86/MuCatalogWebControl.cab?1429300094107#version=9.0.1268.0”. To find the absolute path to the .cab file, so that we can download it and inspect it, we need to join the URL of the page up to the last folder with the contents of the CODEBASE attribute, like so:

Entering that URL in a browser will allow you to download the file and look at it. In the case of a digitally signed file, viewing the Properties of the file will reveal a Digital Signatures tab with more details about the signer and the certificate. An ActiveX control can be a .cab, a .dll, or a .ocx file.

So why don’t I need to enable the Adobe Flash ActiveX control in this way?

According to the MSDN blog post Controlling ActiveX in Internet Explorer, certain controls are exempt from requiring user approval to be enabled, including Adobe Flash. You can find the Class IDs for these pre-approved controls at:

As an alternative to the GPP HKCU registry method of approving ActiveX controls described above, an administrator could create a Class ID subkey under the PreApproved registry key to pre-approve the ActiveX control for all users of the computer on all web sites. Setting such a subkey still permits the user to Disable and Enable the add-on through the Manage Add-ons dialog box.

For example, if we intend to approve the “Microsoft Update Catalog” ActiveX control to run on any site, we would create the following HKLM key, for example, during operating system deployment:

Using Trusted Sites

It is also possible to use the Trusted Sites zone as the mechanism for controlling installation policy for ActiveX controls. This can be done by configuring the “Establish ActiveX installation policy for sites in Trusted zones” setting in Computer Configuration/Policies/Administrative Templates/Windows Components/ActiveX Installer Service. The same options for trusted/signed, signed, and unsigned controls as well as exceptions for HTTPS errors exist in this setting, but they apply to any site in the Trusted Sites zone. Consider this carefully – once this setting is enabled and configured, any site in the Trusted Sites zone will be allowed to silently install ActiveX controls, even those sites that you may not wish to do so, and exceptions for signed/unsigned controls and HTTPS errors will be applied to all sites. This setting therefore offers far less granularity than configuring each site individually using the “Approved Installation Sites for ActiveX controls” setting described above.

You may need to disable unwanted ActiveX controls installed from these sites via GP by Class ID.

Sites can be added to the Trusted Sites zone via the “Site to Zone Assignment List” setting in User Configuration/Policies/Windows Components/Internet Explorer/Internet Control Panel/Security Page.

Microsoft’s recommendations

The Deployment Guy’s Enterprise Management of ActiveX Controls using ActiveX Installer Service blog post on TechNet describes some recommendations, including to install ActiveX controls only from reputable organizations, deploy commonly used ActiveX controls through your organization’s software deployment system rather than allowing controls to be installed automatically via the ActiveX Installer Service, and using only HTTPS hosted controls. These are excellent suggestions, but it’s not likely that your organization can follow all of these recommendations all of the time.

Troubleshooting

If ActiveX Filtering is enabled, IE prevents ActiveX controls from running on all web sites, except for those sites that have been added to the per-site exception list by the user. In IE11, if ActiveX filtering is enabled, a blue circle with a slash through it will appear on the right-hand side of the address bar.

If ActiveX Filtering is enabled via Group Policy, per-site exceptions can be created by a standard user by clicking on the blue circle with a slash through it in the address bar. Sites that have been added to the per-site exception list will be saved as registry values to the key at:

If Enhanced Protected Mode is enabled, add-ons must be compatible with Enhanced Protected Mode in order to run without user intervention.

Internet Explorer’s Enhanced Protected Mode

As with ActiveX Filtering, it is possible to populate a per-site exception list for Enhanced Protected Mode. Sites that have been added to the exception list by clicking the “Run control” button in the alert box will be saved as registry values to the key at:

I recommend reading the MSDN blog post Understanding Enhanced Protected Mode, which is a pretty technical explanation of the subject, noting the differences in its implementation between Windows 7 and Windows 8.

ActiveX control blocking

Internet Explorer 8 through 11 includes a feature called out-of-date ActiveX control blocking, which is another candidate for configuration through Group Policy. If left unconfigured, scary looking security warnings may be displayed to users stating that certain controls are out of date.

I needed to insert a short delay between two processes, so I whipped up a little VBScript that accepts an argument in seconds and then sleeps for that amount of time. If no argument is passed, it sleeps for 3 seconds. It writes to the Application event log before it sleeps and after it wakes.

Usage: sleep.vbs 5

It could be better, sure, but I’m humble about it. It doesn’t validate that the argument is an integer, for example. But it does the trick when used correctly.